Case Study: Ethics and Vulnerability disclosures. Background The relationship between system vulnerabilities and ethical hackers (also known as security researchers) is a complex and interdependent one. On one hand, it can be near-impossible for companies to develop complex systems and platforms without any vulnerabilities for hacking. It is why any of the apps or programs we use are regularly required to be updated: while at times it might be to release new features, more commonly it is to provide fixes for bugs or vulnerabilities. The role of internal teams to identify bugs and vulnerabilities is limited as they can find it difficult to consider alternative perspectives on threat potential. Increasingly, third parties provide a role in identifying issues and disclosing these to companies so they can develop fixes. Some companies have embraced this process, and many now provide vulnerability disclosure policies to provide guidance for ethical hackers. The role of third-party ethical hackers are to identify vulnerabilities and advise companies in an effort to a) improve the overall platform performance, and b) be rewarded for their efforts in identifying platform risks. These rewards are often known as bounties. Typically, those who work in the space of identifying system vulnerabilities collaborate with the impacted platforms, with both parties benefiting from the reward of a more secure platform and a financial reward for the efforts of those identifying the issues.

Windows Zero-Day On 22 November 2021 Bleeping Computer reported that security researcher Abdelhamid Naceri released what is known as a zero-day vulnerability relating to Windows 10, Windows 11, and Windows Server. (A zero-day vulnerability is when a third-party releases details of a vulnerability publicly when there are no known fixes for the issue.) In detailing the vulnerability, Naceri advised that threat actors with access to a device can elevate their privileges from a status of standard user to a system privilege, enabling greater ability to access and interfere with the impacted Windows systems. Providing details of how to exploit a vulnerability without any known way to prevent it from happening puts all users of the impacted Windows systems at risk. This means that anyone with malicious intent could exploit the vulnerability and Microsoft would be unable to provide assurances to their enormous user base. Within days, it was reported that threat actors had begun abusing the vulnerability with malware. What motivated Naceri to take such an action? Naceri defended the decision to release the details of the vulnerability because he was frustrated by Microsofts decreasing payouts in their bug bounty program. On Twitter, @MalwareTechBlog stated Under Microsofts new bug bounty program one of my zerodays has gone from being worth $10,000 to $1,000

Response Part 1: Establish the facts (200 words) 1. Outline a chronological sequence of relevant events of the issue and the actions that occurred after (i.e. as a consequence of the respective events you have outlined). 2. Clearly state the ethical dilemma/s as you see them. 3. Choose one ethical dilemma as the focus of your assignment. a. State why you believe this ethical dilemma is the more important dilemma of the ones you have identified. Response

Part 2: Analysing the ethical dilemma and options (500 words) 4. Come up with a list of the variety of ways you could resolve the dilemma, without judgement (even options you might immediately recognise as wrong) 5. Assess the ethical dilemma from the perspectives covered in this subject. a. Law, guidelines, policies i. Does the law provide an answer to the ethical dilemma? ii. Is there a violation of corporate or professional codes and responsibilities? iii. Do informal guidelines (industry practice or culture, etc) provide guidance? b. Ethical principles i. Consequentialism 1. Could an option to resolve the dilemma minimise harm or result in a better outcome for the people involved? ii. Deontology (and Kants Categorical Imperative) 1. In the actions considered, are (human) rights being impacted? Are duties or responsibilities not being met? 2. Would it be okay if everyone chose this option or acted in this way? Are people being treated as ends rather than means? iii. Virtue ethics 1. Are actions to resolve the dilemma centred on the principles of fair play, trust, compassion, kindness at play?

Response Part 3: Your evaluation of the outcome (300 words) 6. This section centres on your opinion based on the ethical analysis you have undertaken. State your viewpoint on what you believe is the best way to resolve the dilemma, based on your analysis of the options and ethical considerations. a. Be sure to elaborate in the context of two (2) theoretical approaches in ethics that have been discussed in this subject. b. Why do you think your recommendation is the morally right one to make?